Application Error Disclosure hunting... (Passive 90022)


Ian

Mar 22, 2019, 8:54:24 PM
to OWASP ZAP User Group
I got this alert for one of our 500 error pages.  The plugin doesn't tell you which pattern was used to match, or the string it matched with which means I've got to figure this out myself.

I ran a string of commands to extract the string patterns from the patterns file:
grep -Po "\Q<Pattern type=\"string\">\E\K.*" application_errors.xml|cut -d '<' -f 1 > strings.txt

and another for the regex:
grep -Po "\Q<Pattern type=\"regex\">\E\K.*" application_errors.xml|cut -d '<' -f 1 > regex.txt

I saved the raw response to file by right clicking on the alert, save raw, response, all

I then ran two commands to search for the patterns:
grep -i -F -f ./strings.txt ~/raw.html.raw
and
grep -i -f ./regex.txt ~/raw.html.raw
grep -E -i -f ./regex.txt ~/raw.html.raw

but nothing matched.  I've got to be close -- do I need to alter the regex patterns to be compatible with grep somehow?  Is there an easier way to find out how this plugin found what it did?
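The same check the grep pipeline above attempts, done in one place: parse the string and regex patterns out of an application_errors.xml-style file, run them over a saved raw response, and report which pattern fired and the evidence it matched. This is an added example, not ZAP's own scan rule or code from the thread; the <Patterns> root element, the sample patterns and the sample response are constructed, the 500 status check follows the later replies in this thread, and case-insensitive matching mirrors the -i used above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for ZAP's application_errors.xml. The
# <Pattern type="string"> / <Pattern type="regex"> elements follow the
# thread; the <Patterns> root element is an assumption.
SAMPLE_PATTERNS_XML = r"""<?xml version="1.0"?>
<Patterns>
  <Pattern type="string">Unhandled Exception</Pattern>
  <Pattern type="regex">at \w+(\.\w+)+\(\w+\.java:\d+\)</Pattern>
</Patterns>
"""

# Constructed raw response, as saved from the alert via Save Raw > Response > All.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Server Error\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Unhandled Exception</h1>\n"
    "<pre>at com.example.Foo.bar(Foo.java:42)</pre></body></html>"
)


def load_patterns(xml_text):
    """Return [(type, pattern)] for every <Pattern> element in the file."""
    root = ET.fromstring(xml_text)
    return [(p.get("type"), p.text or "") for p in root.iter("Pattern")]


def find_evidence(response, patterns):
    """Return [(kind, pattern, evidence)] for everything that fires on the response."""
    hits = []
    status_line = response.split("\r\n", 1)[0]
    if re.match(r"HTTP/\d(\.\d)? 500\b", status_line):  # generic 500 also alerts
        hits.append(("status", "HTTP 500", status_line))
    for kind, pat in patterns:
        if kind == "string":
            idx = response.lower().find(pat.lower())  # case-insensitive, like grep -i
            if idx != -1:
                hits.append(("string", pat, response[idx:idx + len(pat)]))
        elif kind == "regex":
            m = re.search(pat, response, re.IGNORECASE)
            if m:
                hits.append(("regex", pat, m.group(0)))
    return hits


if __name__ == "__main__":
    for kind, pat, evidence in find_evidence(SAMPLE_RESPONSE, load_patterns(SAMPLE_PATTERNS_XML)):
        print(f"{kind:6} pattern={pat!r} evidence={evidence!r}")
```

To run it against a real save, read application_errors.xml and the raw response from disk in place of the two constants; the regex dialect in the real file may differ from Python's, so treat a compile error as a pattern to translate, not a non-match.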

kingthorin+owaspzap

Mar 22, 2019, 9:15:01 PM
to OWASP ZAP User Group
Look at the Evidence field of the alert, or the part of the response that is highlighted when you are viewing the alert.

hauschu...@gmail.com

Mar 25, 2019, 3:42:25 AM
to OWASP ZAP User Group
I could be wrong, but I seem to remember reading that basically any HTTP 500 error will alert as Application Error Disclosure, since properly set up ideal servers should handle improper input with something in the 400 range (bad request, unauthorized, denied, not found, etc.) whereas 500 is a catch-all that indicates (generally) that the server is still in some kind of default configuration...

Ian

Mar 25, 2019, 1:15:04 PM
to OWASP ZAP User Group
Ugh ... how did I miss that!

One thing about the highlights though -- I usually see stuff highlighted in the Response tab -- I had thought it was only doing that for script and CSS code, but I now see that "HTTP/1.1 500 Server Error" is highlighted in gray.

Ian

Mar 25, 2019, 4:29:41 PM
to OWASP ZAP User Group
I thought application error disclosures were meant to disclose underlying software based on the error message?  Netsparker doesn't generate this alert.

Ian

Mar 25, 2019, 6:46:28 PM
to OWASP ZAP User Group
Any chance we could have Zap give a different alert on generic 500 results? I double checked and Netsparker has a separate "Internal Server Error" Low level alert. (A third party recently scanned us so I get to see how Zap compares! :) )

There were some other findings that Zap didn't see, but I'll post those separately (if you want).


Simon Bennetts

Mar 26, 2019, 5:16:20 AM
to OWASP ZAP User Group
I'm all for making it clear that these are for 500s, and maybe having an option for suppressing them - could you raise a new issue for this?
And also very happy to hear of findings from other tools that ZAP does not report - you can raise these as new issues as well :)

Many thanks

Simon